fix: move the check to get methods

all .post methods will have csrf

src/middleware/header.js

@@ -26,7 +26,11 @@ module.exports = function (middleware) {
 		res.locals.isAPI = false;
 		async.waterfall([
 			function (next) {
-				middleware.applyCSRF(req, res, next);
+				if (!req.isSpider()) {
+					middleware.applyCSRF(req, res, next);
+				} else {
+					setImmediate(next);
+				}
 			},
 			function (next) {
 				async.parallel({

src/middleware/index.js

@@ -32,15 +32,7 @@ middleware.regexes = {
 	timestampedUpload: /^\d+-.+$/,
 };
 
-const csrfMiddleware = csrf();
-
-middleware.applyCSRF = function (req, res, next) {
-	if (req.uid >= 0) {
-		csrfMiddleware(req, res, next);
-	} else {
-		setImmediate(next);
-	}
-};
+middleware.applyCSRF = csrf();
 
 middleware.ensureLoggedIn = ensureLoggedIn.ensureLoggedIn(nconf.get('relative_path') + '/login');
 

src/routes/api.js

@@ -8,7 +8,13 @@ module.exports = function (app, middleware, controllers) {
 	var router = express.Router();
 	app.use('/api', router);
 
-	router.get('/config', middleware.applyCSRF, controllers.api.getConfig);
+	router.get('/config', function (req, res, next) {
+		if (!req.isSpider()) {
+			middleware.applyCSRF(req, res, next);
+		} else {
+			setImmediate(next);
+		}
+	}, controllers.api.getConfig);
 
 	router.get('/me', middleware.checkGlobalPrivacySettings, controllers.user.getCurrentUser);
 	router.get('/user/uid/:uid', middleware.checkGlobalPrivacySettings, controllers.user.getUserByUID);

test/controllers.js

@@ -60,6 +60,35 @@ describe('Controllers', function () {
 		});
 	});
 
+	it('should load /config with csrf_token', function (done) {
+		request({
+			url: nconf.get('url') + '/api/config',
+			json: true,
+		}, function (err, response, body) {
+			assert.ifError(err);
+			assert.equal(response.statusCode, 200);
+			assert(body.csrf_token);
+			done();
+		});
+	});
+
+	it('should load /config with no csrf_token as spider', function (done) {
+		request({
+			url: nconf.get('url') + '/api/config',
+			json: true,
+			headers: {
+				'user-agent': 'yandex',
+			},
+		}, function (err, response, body) {
+			assert.ifError(err);
+			assert.equal(response.statusCode, 200);
+			assert.strictEqual(body.csrf_token, false);
+			assert.strictEqual(body.uid, -1);
+			assert.strictEqual(body.loggedIn, false);
+			done();
+		});
+	});
+
 	describe('homepage', function () {
 		function hookMethod(hookData) {
 			assert(hookData.req);